From 22f5f0ba758b2613ffb71e3a3bc473de3bf149ea Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev <slavi@devture.com>
Date: Fri, 12 Jan 2024 09:52:08 +0200
Subject: [PATCH] Add support for exposing metrics for Synapse (without
 workers)

---
 group_vars/matrix_servers                     |  7 +++
 roles/custom/matrix-synapse/defaults/main.yml | 15 ++++++-
 .../matrix-synapse/tasks/validate_config.yml  |  3 ++
 .../templates/synapse/labels.j2               | 45 +++++++++++++++++++
 4 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 82bb7f94c..1e3c0e0f4 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -4187,6 +4187,9 @@ matrix_synapse_container_labels_client_synapse_admin_api_enabled: "{{ matrix_syn
 
 matrix_synapse_container_labels_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
 
+matrix_synapse_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
+matrix_synapse_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
+
 # For exposing the Synapse worker (and metrics) ports to the local host.
 matrix_synapse_workers_container_host_bind_address: "{{ matrix_playbook_service_host_bind_interface_prefix[0:-1] if (matrix_synapse_workers_enabled and matrix_playbook_service_host_bind_interface_prefix) else '' }}"
 
@@ -4205,6 +4208,10 @@ matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_
 # If someone instals Prometheus via the playbook, they most likely wish to monitor Synapse.
 matrix_synapse_metrics_enabled: "{{ prometheus_enabled }}"
 
+matrix_synapse_metrics_proxying_enabled: "{{ matrix_synapse_metrics_enabled and matrix_metrics_exposure_enabled }}"
+matrix_synapse_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
+matrix_synapse_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/synapse"
+
 matrix_synapse_email_enabled: "{{ exim_relay_enabled }}"
 matrix_synapse_email_smtp_host: "{{ exim_relay_identifier }}"
 matrix_synapse_email_smtp_port: 8025
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index ce19f278e..e396ef928 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -229,6 +229,18 @@ matrix_synapse_container_labels_federation_api_traefik_entrypoints: ''
 matrix_synapse_container_labels_federation_api_traefik_tls: "{{ matrix_synapse_container_labels_federation_api_traefik_entrypoints != 'web' }}"
 matrix_synapse_container_labels_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 
+# Controls whether labels will be added that expose metrics (see `matrix_synapse_metrics_proxying_enabled`)
+matrix_synapse_container_labels_metrics_enabled: "{{ matrix_synapse_metrics_enabled and matrix_synapse_metrics_proxying_enabled }}"
+matrix_synapse_container_labels_metrics_traefik_path: "{{ matrix_synapse_metrics_proxying_path_prefix }}/main-process"
+matrix_synapse_container_labels_metrics_traefik_rule: "Host(`{{ matrix_synapse_metrics_proxying_hostname }}`) && Path(`{{ matrix_synapse_container_labels_metrics_traefik_path }}`)"
+matrix_synapse_container_labels_metrics_traefik_priority: 0
+matrix_synapse_container_labels_metrics_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}"
+matrix_synapse_container_labels_metrics_traefik_tls: "{{ matrix_synapse_container_labels_metrics_traefik_entrypoints != 'web' }}"
+matrix_synapse_container_labels_metrics_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+matrix_synapse_container_labels_metrics_middleware_basic_auth_enabled: false
+# See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
+matrix_synapse_container_labels_metrics_middleware_basic_auth_users: ''
+
 # matrix_synapse_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
@@ -598,7 +610,8 @@ matrix_synapse_grafana_dashboard_urls:
 # - `matrix.DOMAIN/metrics/synapse/main-process` for the main process
 # - `matrix.DOMAIN/metrics/synapse/worker/{type}-{id}` for each worker process
 matrix_synapse_metrics_proxying_enabled: false
-# TODO - add variables for controlling the hostname, path prefix, etc.
+matrix_synapse_metrics_proxying_hostname: ''
+matrix_synapse_metrics_proxying_path_prefix: /metrics/synapse
 
 # Enable the Synapse manhole
 # See https://github.com/matrix-org/synapse/blob/master/docs/manhole.md
diff --git a/roles/custom/matrix-synapse/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/validate_config.yml
index 0f6dec888..e140f3521 100644
--- a/roles/custom/matrix-synapse/tasks/validate_config.yml
+++ b/roles/custom/matrix-synapse/tasks/validate_config.yml
@@ -28,6 +28,9 @@
     - {'name': 'matrix_synapse_container_labels_federation_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_federation_api_enabled }}"}
     - {'name': 'matrix_synapse_container_labels_federation_api_traefik_entrypoints', when: "{{ matrix_synapse_container_labels_federation_api_enabled }}"}
 
+    - {'name': 'matrix_synapse_metrics_proxying_hostname', when: "{{ matrix_synapse_metrics_proxying_enabled }}"}
+    - {'name': 'matrix_synapse_metrics_proxying_path_prefix', when: "{{ matrix_synapse_metrics_proxying_enabled }}"}
+
 - name: Fail if asking for more than 1 instance of single-instance workers
   ansible.builtin.fail:
     msg: >-
diff --git a/roles/custom/matrix-synapse/templates/synapse/labels.j2 b/roles/custom/matrix-synapse/templates/synapse/labels.j2
index 6ed1ca131..629edfb8b 100644
--- a/roles/custom/matrix-synapse/templates/synapse/labels.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/labels.j2
@@ -7,6 +7,7 @@ traefik.docker.network={{ matrix_synapse_container_labels_traefik_docker_network
 
 traefik.http.services.matrix-synapse-client-api.loadbalancer.server.port={{ matrix_synapse_container_client_api_port }}
 traefik.http.services.matrix-synapse-federation-api.loadbalancer.server.port={{ matrix_synapse_container_federation_api_plain_port }}
+traefik.http.services.matrix-synapse-metrics.loadbalancer.server.port={{ matrix_synapse_metrics_port }}
 
 
 {#
@@ -171,6 +172,50 @@ traefik.http.routers.matrix-synapse-federation-api.tls.certResolver={{ matrix_sy
 	/Federation-API (/_matrix)
 #}
 
+{#
+	Metrics (e.g. /metrics/synapse/main-process)
+#}
+{% if matrix_synapse_container_labels_metrics_enabled %}
+
+{% set metrics_middlewares = [] %}
+
+{% if matrix_synapse_container_labels_metrics_middleware_basic_auth_enabled %}
+{% set metrics_middlewares = metrics_middlewares + ['matrix-synapse-metrics-basic-auth'] %}
+traefik.http.middlewares.matrix-synapse-metrics-basic-auth.basicauth.users={{ matrix_synapse_container_labels_metrics_middleware_basic_auth_users }}
+{% endif %}
+
+{% set metrics_middlewares = metrics_middlewares + ['matrix-synapse-metrics-replacepath'] %}
+traefik.http.middlewares.matrix-synapse-metrics-replacepath.replacepath.path=/_synapse/metrics
+
+traefik.http.routers.matrix-synapse-metrics.rule={{ matrix_synapse_container_labels_metrics_traefik_rule }}
+
+{% if metrics_middlewares | length > 0 %}
+traefik.http.routers.matrix-synapse-metrics.middlewares={{ metrics_middlewares | join(',') }}
+{% endif %}
+
+{% if matrix_synapse_container_labels_metrics_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-synapse-metrics.priority={{ matrix_synapse_container_labels_metrics_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-synapse-metrics.service=matrix-synapse-metrics
+traefik.http.routers.matrix-synapse-metrics.entrypoints={{ matrix_synapse_container_labels_metrics_traefik_entrypoints }}
+
+traefik.http.routers.matrix-synapse-metrics.tls={{ matrix_synapse_container_labels_metrics_traefik_tls | to_json }}
+{% if matrix_synapse_container_labels_metrics_traefik_tls %}
+traefik.http.routers.matrix-synapse-metrics.tls.certResolver={{ matrix_synapse_container_labels_metrics_traefik_tls_certResolver }}
+{% endif %}
+
+{% if matrix_synapse_container_labels_metrics_middleware_basic_auth_enabled %}
+traefik.http.routers.matrix-synapse-metrics.middlewares=matrix-synapse-metrics-basic-auth
+traefik.http.middlewares.matrix-synapse-metrics-basic-auth.basicauth.users={{ matrix_synapse_container_labels_metrics_middleware_basic_auth_users }}
+{% endif %}
+
+{% endif %}
+{#
+	/Metrics (e.g. /metrics/synapse/main-process)
+#}
+
+
 {% endif %}
 
 {{ matrix_synapse_container_labels_additional_labels }}